Hi everyone,
I'm fresh member, register on this forum less than 24 hours ago. I took the job of someone here regarding the CoinDice script sell by johny1976 (
https://bitcointalk.org/index.php?topic=507515.0)
The member who bought this script was seeking help to install and make it run on his server.
After several hours, it appear that the script provided is a total scam. I will on this topic, expose a technical review of it, I invite any developer PHP to participate and/or confirm my saying. As the script sold by johny1976 is not legitimate and, for everyone can check it, I will provide the source.
Source codehttp://s000.tinyupload.com/index.php?file_id=86885185801916457991SecurityThe script have multiples critical security issue, I found a lot and I'm sure we can still find more... Here some :
content/requestAccess.php
Line 13 : SQL Injection
if (empty($_GET['_unique']) || mysql_num_rows(mysql_query("SELECT `id` FROM `players` WHERE `hash`='".prot($_GET['_unique'])."' LIMIT 1"))==0) exit();Line 14 : SQL Injection
$player=mysql_fetch_array(mysql_query("SELECT `password` FROM `players` WHERE `hash`='".prot($_GET['_unique'])."' LIMIT 1"));inc/start.php
Line 35 : SQL Injection
if (mysql_num_rows(mysql_query("SELECT `id` FROM `players` WHERE `hash`='".prot($_GET['unique'])."' LIMIT 1"))!=0) {Line 36 : SQL Injection
$player=mysql_fetch_array(mysql_query("SELECT * FROM `players` WHERE `hash`='".prot($_GET['unique'])."' LIMIT 1"));content/ajax/withdraw.php
Line 22 : SQL Injection
if (empty($_GET['amount']) || empty($_GET['valid_addr']) || empty($_GET['_unique']) || mysql_num_rows(mysql_query("SELECT `id` FROM `players` WHERE `hash`='".prot($_GET['_unique'])."' LIMIT 1"))==0) exit();... (There is more injection SQL) ...
Incorrect codeI found multiple error in the code thats made the script simply useless. A lot of misuse, misunderstand of the PHP basic can easily be found in almost every file. After several hours of debug / rewrite the CoinDice script, I just understand that was a waste of time since this script has never worked at the first place. I'm not talking about some coding error that every developer can made, this script is a giant mess, it is unlikely to stay a not working script even with the best motivation in the world.
content/ajax/place.php
Line 98-115 : Error : PHP Notice: Undefined variable: cas_percprofit in /data/www/default/www/content/ajax/place.php on line 114
if ($settings['inv_enable']==1) {
$cas_profit=$profit*-1;
if (mysql_num_rows(mysql_query("SELECT SUM(`amount`) AS `sum` FROM `investors` WHERE `amount`!=0 FOR UPDATE"))) {
$cas_invest=mysql_fetch_array(mysql_query("SELECT SUM(`amount`) AS `sum` FROM `investors` WHERE `amount`!=0"));
$cas_invest=($serverFreeBalance-$cas_invest['sum']);
}
else $cas_invest = $serverFreeBalance;
mysql_query("UPDATE `investors` SET `amount`=(`amount`+(($cas_profit/100)*((`amount`/$serverFreeBalance)*(100-$settings[inv_perc])))),`profit`=(`profit`+(($cas_profit/100)*((`amount`/$serverFreeBalance)*(100-$settings[inv_perc])))) WHERE `amount`!=0");
$q=mysql_query("SELECT * FROM `investors` WHERE `amount`!=0");
while (mysql_num_rows($q) && $inv=mysql_fetch_array($q)) {
$cas_percprofit+=(($cas_profit/100)*(($inv['amount']/$serverFreeBalance)*($settings['inv_perc'])));
}
mysql_query("UPDATE `system` SET `inv_casprofit`=(`inv_casprofit`+(($cas_profit/100)*(($cas_invest/$serverFreeBalance)*(100)))+$cas_percprofit) LIMIT 1");
}content/ajax/divest.php
Line 20 : Wtf ?
if (empty($_GET['_unique']) || mysql_num_rows(mysql_query("SELECT `id` FROM `players` WHERE `hash`='".prot($_GET['_unique'])."' LIMIT 1"))==0) exit();Line 26-28 : Wtf ?
if (mysql_num_rows(mysql_query("SELECT `id` FROM `investors` WHERE `player_id`=$player[id] LIMIT 1"))==0) {
mysql_query("INSERT INTO `investors` (`player_id`) VALUES ($player[id])");
}content/ajax/_stats_load.php
Whole file : Wtf ?
There is much more to say about it that it could take me my next 6 hours, (use of mysql, over deprecated, instead of mysqli or even better, stmt mysql), the include of external code that is clearly not made by you, the entire file located in js/includer.php or 0 sanitizing of the user input on the side server...
I invite any PHP dev to check the provided source on this topic, it is the original one given by johny1976. I burn my day on this job for nothing, I decided not to take any money from the member who recruiting me for his job, he lost already his money buying a unusable script.
I hope this member will get banned to avoid other people to fall into his scam, the only way to stop it was to do what I did, expose the source code. I see many other topics regarding this scam...
To johny1976 : If you want to defend yourself from this, what about to offer a online working demo ? I can see on each files of your script :
/*
* © CoinDice
* Demo:
http://www.btcircle.com/dice * Please do not copy or redistribute.
* More licences we sell, more products we develop in the future.
*/
Why did you remove the Demo ? Waiting for your reply... And in this topic not in PM.
Edit : I just found several Path Traversal vulnerabilities and a potential CSRF... I'm done with this script, I see enough
